Passwords are, for the moment at least, still a security pain in the ass that just won’t go away. Not for the want of trying, and the efforts of Apple, Google and Microsoft, together with the Fido Alliance, to move people towards a passwordless future with the evolution of passkeys notwithstanding. While we are stuck with them, it’s vital to understand the risk attached to specific behaviors, such as forcing users to change their passwords regularly. At long last, it would seem there is some hope in sight when it comes to this risky mandate imposed by far too many organizations, with the National Institute of Standards and Technology in the process of drafting new password verifier standards that could reverse decades of bad practice.
When Changing Your Password Is A Bad Thing
The first passwords for computer users are generally accepted as having been introduced in 1961 by an MIT professor, Fernando Corbato, after he built a time-sharing computer that needed to keep each user's files private from the others. Fast-forward a few decades, and the online world started taking off, which was the beginning of the rise and fall of the humble password as an effective method of verifying the identity of a user.
Certainly, when I first started my adventures in the online world of bulletin boards, Usenet newsgroups and Internet Relay Chats, passwords were simplistic, short and memorable. No real thought went into creating them beyond that memorable aspect, not least as there weren’t that many people looking to hack them at the time. I plead the fifth regarding whether I was one of those people. Most people used simple passwords, often the same one across multiple accounts. To a large degree, that hasn’t changed; what has is the number of hackers out there intent on cracking them. Which brings me to the point about changing passwords. Organizations have been requiring their users to change passwords regularly, often no longer than 60 days, to reduce the risk of them getting hacked. Or at least that’s been the theory behind the practice.
The U.K. National Cyber Security Centre has advised against forced password changes since at least 2015, when it published a guide to password administration for system owners. When users are forced to change their password, the NCSC warned, “the chances are that the new password will be similar to the old one.” And that pretty much sums it up in a nutshell: hackers look for patterns when it comes to passwords, and users look for patterns when it comes to password replacement. After all, if you’ve remembered your password is “password-one” for the last two months, you will remember it is “password-two” for the next couple.
The NCSC describes it as being a counter-intuitive security scenario, and I agree 100%. The more that users are forced to change a password, the greater the risk that it can be successfully cracked. The overall vulnerability risk increases with each change as an attacker can often work out the new one if they have the old one, and if the user is forced to change the password string entirely, they will usually opt for something weaker that’s more easily remembered and entered.
The NIST Digital Identity Guidelines For Password Verifiers In 2024
In the past, the National Institute of Standards and Technology has recommended that organizations enforce password expiration every 365 days, a timescale that I and a lot of security professionals think remains too frequent. Now, it would seem, NIST has had a long-overdue change of heart. The latest Digital Identity Guidelines for Authentication and Authenticator Management, published in August 2024, addresses the issue in section 3.1.1.2, Password Verifiers.
This standard, as employed by organizations world-wide, now states that verifiers “shall not require users to change passwords periodically.” However, in the case of known compromise, the verifier should, of course, force a change. This is common sense and should be applauded.
Equally, and another bugbear of mine, some services require you to create a password that meets certain rules, such as being between 8 and 20 characters, or including certain special keyboard characters but excluding others, and so on. This leads to ridiculous scenarios where a very strong password such as “se-*55Gb3PTsGgM:xVFJZrQ0y”?#*G” is disallowed yet a weak one like “P@ssw0rd” is perfectly fine. NIST has now deemed that there shall be no such imposition of composition rules beyond the requirements it says must apply to all passwords, namely:
- Passwords shall be a minimum of eight characters but should be a minimum of 15.
- Passwords should be permitted up to a maximum of at least 64 characters.
- Passwords should be allowed to include all printing ASCII characters, the space character and Unicode characters.
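To make the contrast concrete, here is a small added example in Python (not code from the article or from NIST): a composition-rule checker of the kind the article complains about, beside a length-only checker that follows the three NIST rules above. The 8 to 20 character legacy limits, the special-character whitelist, the passphrase and the refusal of control characters are constructed assumptions of this example, not rules from the standard.

```python
import unicodedata

# Length rules from the NIST draft as summarised in the article.
MIN_LEN = 8            # SHALL be at least 8 characters
RECOMMENDED_MIN = 15   # SHOULD be at least 15 characters
MAX_LEN = 64           # SHOULD permit at least 64 characters


def legacy_check(pw: str) -> bool:
    """Composition-rule verifier of the kind the article criticises (constructed).

    8-20 characters, one upper, one lower, one digit, one special character
    from a short whitelist, and nothing else (no spaces, no Unicode) allowed.
    """
    allowed_specials = set("!@#$%^&*")
    if not 8 <= len(pw) <= 20:
        return False
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        return False
    if not any(c.isdigit() for c in pw):
        return False
    if not any(c in allowed_specials for c in pw):
        return False
    # Spaces, Unicode letters and unlisted punctuation are all rejected.
    return all(c.isascii() and (c.isalnum() or c in allowed_specials) for c in pw)


def nist_check(pw: str, min_len: int = RECOMMENDED_MIN) -> tuple[bool, str]:
    """Length-only verifier following the NIST rules: no composition rules."""
    # Normalise so the same visible string counts the same however it was typed.
    pw = unicodedata.normalize("NFC", pw)
    n = len(pw)                      # count code points, not UTF-8 bytes
    if n < min_len:
        return False, f"shorter than {min_len} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Printing ASCII, the space and any Unicode are accepted; only control
    # characters are refused (an assumption of this example, not a NIST rule).
    if any(unicodedata.category(c) == "Cc" for c in pw):
        return False, "contains control characters"
    return True, "ok"


# Constructed samples: the article's weak example and a long Unicode passphrase.
WEAK = "P@ssw0rd"
STRONG = "correct horse battery staple à la carte"

if __name__ == "__main__":
    for pw in (WEAK, STRONG):
        print(f"{pw!r}: legacy={legacy_check(pw)} nist={nist_check(pw)}")
```

The legacy checker waves the weak password through and rejects the long passphrase; the NIST-style checker does the reverse, and only the minimum length decides whether the weak one is accepted at all.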
Above all else, and I cannot stress this enough, it’s my opinion and that of many security professionals at the sharp end of the business, that users should be encouraged to use password managers and educated on how best to use them. This enables unique and complex passwords to be created for every account and, with the likes of Apple now including a free password app for iPhone and Mac users, such programs are becoming increasingly easy to use.